UNITED STATES
CONSUMER PRODUCT SAFETY COMMISSION
4330 EAST WEST HIGHWAY
BETHESDA, MD 20814

CHAIRMAN INEZ M. TENENBAUM

November 18, 2009

The Honorable Peter Orszag
Director
Office of Management and Budget
725 17th Street, NW
Washington, DC 20503

Dear Director Orszag:

As required by the Office of Management and Budget, the U.S. Consumer Product Safety Commission (CPSC) is submitting the Office of Inspector General's Federal Information Security Management Act (FISMA) 2009 report.

I have reviewed the FISMA report and agree with the Inspector General's assessment. Our plan to remediate any outstanding issues will be reflected in our quarterly Plan of Action and Milestones.

Information technology security and privacy compliance are critical to the Commission's mission to protect the public from unreasonable risks of serious injury or death from consumer products under the agency's jurisdiction. CPSC will continue to conscientiously manage these areas to ensure our success.

Very truly yours,

[signed]
Inez M. Tenenbaum

Enclosure

CPSC Hotline: 1-800-638-CPSC (2772)    CPSC's Web Site: http://www.cpsc.gov


Chief Information Officer Section Report
2009 Annual FISMA Report

Consumer Product Safety Commission

For Official Use Only


Question 1: FISMA Systems Inventory & Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

1. Identify the number of Agency and contractor systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your Agency but owned by another federal Agency (i.e., ePayroll, etc.) by component and FIPS 199 impact level.

2. For the Total Number of Systems Identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key:
  FISMA Inventory
    1a. Agency Systems (Number)
    1b. Contractor Systems (Number)
    1c. Systems owned by another Federal Agency (Number)
    1d. Total Systems (Total Number)
  Certification and Accreditation (C&A) and Testing
    2a. Number of systems certified and accredited (Total Number, % of Total)
    2b. Number of systems for which security controls have been tested and reviewed in the past year (Total Number, % of Total)
    2c. Number of systems for which contingency plans have been tested in accordance with policy (Total Number, % of Total)

Agency/Component  Category          1a   1b   1c   1d   2a Number  2a %   2b Number  2b %   2c Number  2c %
CPSC              High               0    0    2    0    0          0      0          0      0          0
                  Moderate           1    0    1    1    1          100    1          100    0          0
                  Low                0    0    0    0    0          0      0          0      0          0
                  Not Categorized    0    0    0    0    0          0      0          0      0          0
                  Sub Total          1    0    3    1    1          100    1          100    0          0
Agency Totals     High               0    0    2    0    0          0      0          0      0          0
                  Moderate           1    0    1    1    1          100    1          100    0          0
                  Low                0    0    0    0    0          0      0          0      0          0
                  Not Categorized    0    0    0    0    0          0      0          0      0          0
                  Total Systems      1    0    3    1    1          100    1          100    0          0

2009 Annual FISMA Report - Consumer Product Safety Commission    For Official Use Only    CIO Report - Page 1 of 6


Question 3: Implementation of Security Controls in NIST Special Publication 800-53

What tools and techniques do you use for continuous monitoring?

    Tool/Technique Name          Tool Category
    ISS RealSecure               Intrusion Detection and Prevention Systems
    Zen Asset Management         Inventory Management and Control Tool
    eEye Retina                  Vulnerability Scanners
    Observation                  Other
    Hands-on control testing     Other


Question 4: Incident Detection, Monitoring and Response Capabilities

4a. What tools, techniques, technologies, etc., does the Agency use for incident detection?

    Tool/Technique Name          Tool Category
    Symantec Antivirus           Antimalware Software
    Kaspersky Client Security    Antimalware Software
    ISS Intrusion Detection      Intrusion Detection and Prevention Systems
    Zen Asset Management         Inventory Management and Control Tool
    CheckPoint Firewall          Network Access Control
    Blue Coat Internet Scanner   Network Monitoring Software
    eEye Retina                  Vulnerability Scanners

4b. How many systems (or networks of systems) are protected using the tools, techniques and technologies described in 4(a) above?
    1

4c. How often does the Agency log and monitor activities involving access to and modification of critical information?
    0 % to 0 %

4d. What percentage of systems maintain audit trails that provide a trace of user actions?
    0 % to 0 %

4e. Does the Agency maintain an incident handling and response capability?
    Yes

4f. If the answer to 4(e) is yes, what percentage of systems are operated within the Agency's incident handling and response capability?
    100 % to 100 %

4g. What tools, techniques, technologies, etc., does the Agency use for incident handling and response?

    Tool/Technique Name          Tool Category
    Symantec                     Antimalware Software
    Kaspersky Client Security    Antimalware Software
    F-Secure                     Antimalware Software
    eEye Retina                  Computer Forensic Tools
    Nessus                       Computer Forensic Tools
    ISS Real Secure              Intrusion Detection and Prevention Systems
    Blue Coat                    Network Monitoring Software
    Fluke Networks Sniffer       Network Monitoring Software


Question 5: Security Awareness Training

5a. Report the following for your Agency:

    5a(1). Total number of people with log-in privileges to Agency systems.
        555

    5a(2). Number of people with log-in privileges to Agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program."
        437    (79%)

    5a(3). Number of people with log-in privileges to Agency systems that received information security awareness training using an ISSLOB shared service center. (Breakout total for b.)
        0    (0%)

    5a(4). Total number of employees with significant information security responsibilities.
        25

    5a(5). Number of employees with significant security responsibilities that received specialized training as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."
        23    (92%)

    5a(6). Total costs for providing information security training in the past fiscal year (in $'s).
        $6,600

5b. Briefly describe the training provided in 5a(2) and 5a(5) and how you measure its effectiveness:

    Comments: The CPSC IT security awareness training course explains proper rules of behavior for the use of CPSC IT systems and information. It also explains common security threats and vulnerabilities. Effectiveness is measured through the use of course quizzes.


Question 6: Peer-to-Peer File Sharing

Does the Agency explain policies regarding the use of peer-to-peer file sharing in information security awareness training, ethics training, or any other Agency-wide training?
    No


Question 7: Configuration Management

7a. Is there an Agency-wide configuration policy?
    No

    7a(1). Enter the systems/platforms/applications for which configuration policies exist and provide the implementation status. Identify all that are applicable.

        OS/Platform/System           Implementation Status
        N/A

        What tools and techniques is your Agency using for monitoring compliance?

        Tool/Technique Name          Tool Category

7b. Indicate the status of the implementation of FDCC at your Agency:

    7b(1). Agency has documented deviations from FDCC standard configuration.
        No

    7b(2). New Federal Acquisition Regulation 2008-004 language, which modified "Part 39-Acquisition of Information Technology," is included in all contracts related to common security settings.
        No

    7b(3). List the percentage of workstations and laptops that are in compliance.
        90 % to 100 %


Question 8: Systems Incident Reporting

Indicate whether or not the Agency follows documented policies and procedures for reporting incidents internally, to US-CERT and to law enforcement.

8a. How often does the Agency follow documented policies and procedures for identifying and reporting incidents internally?
    90 % to 100 %

8b. How often does the Agency comply with documented policies and procedures for timeliness of reporting to US-CERT?
    90 % to 100 %

8c. How often does the Agency follow documented policies and procedures for reporting to law enforcement?
    90 % to 100 %


Question 9: Performance Metrics for Security Policies and Procedures

Please provide three (3) outcome/output-based performance metrics your Agency uses to measure the effectiveness or efficiency of security policies and procedures. The metrics must be different than the ones used in these FISMA reporting instructions, and can be tailored from NIST's Special Publication 800-55 "Performance Measurement Guide for Information Security."

    Metric Name                    Metric Description
    System and Communication       Measures the percentage of mobile computers and devices that perform all cryptographic operations using FIPS 140-2 validated cryptographic modules operating in approved modes of operation.
    Physical Security Incidents    Measures the percentage of physical security incidents allowing unauthorized entry into facilities containing information systems.
    Incident Response              Measures the percentage of incidents reported within required time frame per applicable incident category.


Question 10: HSPD-12

Number of FISMA applications in which Federal employees and contractors are using HSPD-12 Personal Identity Verification credentials for access.
    0


Inspector General Section Report
2009 Annual FISMA Report

Consumer Product Safety Commission

For Official Use Only


Question 1: FISMA Systems Inventory & Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

1. Identify the number of Agency and contractor systems by component and FIPS 199 impact level (low, moderate, high) reviewed.

2. For the Total Number of Reviewed Systems Identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key:
  Question 1
    1a. Agency Systems (Total Number, Number Reviewed)
    1b. Contractor Systems (Total Number, Number Reviewed)
    1c. Total Number of Systems (Agency and Contractor systems) (Total Number, Number Reviewed)
  Question 2
    2a. Number of systems certified and accredited
    2b. Number of systems for which security controls have been tested and reviewed in the past year
    2c. Number of systems for which contingency plans have been tested in accordance with policy

Agency/Component  Category          1a Total  1a Reviewed  1b Total  1b Reviewed  1c Total  1c Reviewed  2a  2b  2c
CPSC              High                 0          0            0          0            0          0         0   0   0
                  Moderate             1          1            0          0            1          1         1   1   0
                  Low                  0          0            0          0            0          0         0   0   0
                  Not Categorized      0          0            0          0            0          0         0   0   0
                  Sub Total            1          1            0          0            1          1         1   1   0
Agency Totals     High                 0          0            0          0            0          0         0   0   0
                  Moderate             1          1            0          0            1          1         1   1   0
                  Low                  0          0            0          0            0          0         0   0   0
                  Not Categorized      0          0            0          0            0          0         0   0   0
                  Total Systems        1          1            0          0            1          1         1   1   0

2009 Annual FISMA Report - Consumer Product Safety Commission    For Official Use Only    IG Report - Page 1 of 7


Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

The Agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and Agency policy.

Agencies are responsible for ensuring the security of information systems used by a contractor of their Agency or other organization on behalf of their Agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal Agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

3a. Does the Agency have policies for oversight of contractors?
    No

3b. Does the Agency have a materially correct inventory of major information systems (including national security systems) operated by or under the control of such Agency?
    Yes

3c. Does the Agency maintain an inventory of interfaces between the Agency systems and all other systems, such as those not operated by or under the control of the Agency?
    No

3d. Does the Agency require agreements for interfaces between systems it owns or operates and other systems not operated by or under the control of the Agency?
    Yes

3e. The Agency inventory is maintained and updated at least annually.
    No

3f. The IG generally agrees with the CIO on the number of Agency-owned systems.
    Yes

3g. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency.
    Yes


Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the Agency has developed, implemented, and is managing an Agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided.

4a. Has the Agency developed and documented an adequate policy that establishes a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts?
    Yes

    4a(1). Has the Agency fully implemented the policy?
        No

4b. Is the Agency currently managing and operating a POA&M process?
    Yes

4c. Is the Agency's POA&M process an Agency-wide process, incorporating all known IT security weaknesses, including IG/external audit findings associated with information systems used or operated by the Agency or by a contractor of the Agency or other organization on behalf of the Agency?
    Yes

4d. Does the POA&M process prioritize IT security weaknesses to help ensure significant IT security weaknesses are corrected in a timely manner and receive appropriate resources?
    Yes

4e. When an IT security weakness is identified, do program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)?
    No

4f. For Systems Reviewed:

    4f(1). Are deficiencies tracked and remediated in a timely manner?
        No

    4f(2). Are the remediation plans effective for correcting the security weakness?
        No

    4f(3). Are the estimated dates for remediation reasonable and adhered to?
        No

4g. Do Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly)?
    No

4h. Does the Agency CIO centrally track, maintain, and independently review/validate POA&M activities on at least a quarterly basis?
    No


Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the Agency's certification and accreditation (C&A) process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" for C&A work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

5a. Has the Agency developed and documented an adequate policy for establishing a C&A process that follows the NIST framework?
    No

5b. Is the Agency currently managing and operating a C&A process in compliance with its policies?
    No

5c. For Systems reviewed, does the C&A process adequately provide:

    5c(1). Appropriate risk categories
        Yes

    5c(2). Adequate risk assessments
        Yes

    5c(3). Selection of appropriate controls
        Yes

    5c(4). Adequate testing of controls
        Yes

    5c(5). Regular monitoring of system risks and the adequacy of controls
        Yes

5d. For systems reviewed, is the Authorizing Official presented with complete and reliable C&A information to facilitate an informed system Authorization to Operate decision based on risks and controls implemented?
    Yes


Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

Provide a qualitative assessment of the Agency's process, as discussed in the SAOP section, for protecting privacy-related information, including adherence to existing policy, guidance and standards. Provide explanatory information in the area provided.

6a. Has the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding privacy-related information?
    Yes

6b. Is the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies?
    No

6c. Has the Agency developed and documented an adequate policy for PIAs?
    Yes

6d. Has the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate PIAs?
    No


Question 7: Configuration Management

7a. Is there an Agency-wide security configuration policy?
    No

    7a(1). For each OS/platform/system for which your Agency has a configuration policy, please indicate the status of implementation for that policy.

        OS/Platform/System           Implementation Status
        N/A

        What tools and techniques is your Agency using for monitoring compliance?

        Tool/Technique Name          Tool Category

7b. Indicate the status of the implementation of Federal Desktop Core Configuration (FDCC) at your Agency:

    7b(1). Agency has documented deviations from FDCC standard configuration.
        No

    7b(2). New Federal Acquisition Regulation 2008-004 language, which modified "Part 39-Acquisition of Information Technology," is included in all contracts related to common security settings.
        No


Question 8: Incident Reporting

8a. How often does the Agency comply with documented policies and procedures for identifying and reporting incidents internally?
    100 % to 100 %

8b. How often does the Agency comply with documented policies and procedures for timely reporting of incidents to US-CERT?
    100 % to 100 %

8c. How often does the Agency follow documented policies and procedures for reporting to law enforcement?
    100 % to 100 %


Question 9: Security Awareness Training

Provide an assessment of whether the Agency has provided IT security awareness training to all users with log-in privileges, including contractors. Also provide an assessment of whether the Agency has provided appropriate training to employees with significant IT security responsibilities.

9a. Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log-in privileges, and providing them with suitable IT security awareness training?
    Yes

9b. Report the following for your Agency:

    9b(1). Total number of people with log-in privileges to Agency systems.
        555

    9b(2). Number of people with log-in privileges to Agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program."
        437    (79%)

    9b(3). Total number of employees with significant information security responsibilities.
        25

    9b(4). Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."
        23    (92%)


Question 10: Peer-to-Peer File Sharing

10. Does the Agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other Agency-wide training?
    No


Senior Agency Official for Privacy Section Report
2009 Annual FISMA Report

Consumer Product Safety Commission

For Official Use Only


Question 1: Information Security Systems

Identify the number of Agency and contractor systems that contain Federal information in identifiable form. Identify the number of Agency and contractor systems for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act and identify the number of Agency and contractor systems covered by an existing PIA. Please identify the number of systems for which a system of records notice (SORN) is required under the Privacy Act and identify the number of systems for which a current SORN has been published in the Federal Register.

Column key:
  a. Number of systems that contain Federal information in identifiable form (Agency Systems, Contractor Systems, Total Systems)
  b. Number of systems in (a) for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act (Agency Systems, Contractor Systems, Total Number)
  c. Number of systems in (b) covered by an existing PIA (Agency Systems, Contractor Systems, Total Number, % Complete)
  d. Number of systems in (a) for which a system of records notice (SORN) is required under the Privacy Act (Agency Systems, Contractor Systems, Total Number)
  e. Number of systems in (d) for which a current SORN has been published in the Federal Register (Agency Systems, Contractor Systems, Total Number, % Complete)

Agency/Component   a. Agency  a. Contractor  a. Total   b. Agency  b. Contractor  b. Total   c. Agency  c. Contractor  c. Total  c. % Complete
CPSC                  22           0            22         13           0            13          2            0            2         15%
Total                 22           0            22         13           0            13          2            0            2         15%

Agency/Component   d. Agency  d. Contractor  d. Total   e. Agency  e. Contractor  e. Total  e. % Complete
CPSC                  22           0            22         21           0            21        95%
Total                 22           0            22         21           0            21        95%


Question 2: Links to PIAs and SORNs

2a. The URL of the centrally located page on the Agency web site listing working links to Agency PIAs.
    http://www.cpsc.gov/cpscpub/pubs/reports.html#pia

2b. The URL of the centrally located page on the Agency web site listing working links to the published SORNs.
    http://www.cpsc.gov/cpscpub/pubs/systems.html


Question 3: Senior Agency Official for Privacy (SAOP) Responsibilities

3a. Can your Agency demonstrate through documentation that the privacy official participates in all Agency information privacy compliance activities (i.e., privacy policy as well as IT information policy)?
    No

3b. Can your Agency demonstrate through documentation that the privacy official participates in evaluating the ramifications for privacy of legislative, regulatory and other policy proposals, as well as testimony and comments under Circular A-19?
    No

2009 Annual FISMA Report - Consumer Product Safety Commission    For Official Use Only    SAOP Report - Page 1 of 6

3c. Can your Agency demonstrate through documentation that the privacy official participates in assessing the impact of technology on the privacy of personal information?
    Yes


Question 4: Information Privacy Training and Awareness

4a. Does your Agency have a policy in place to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure?
    Yes

4b. Does your Agency have a program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.)
directly involved in the administration of personal information or information technology systems, or with significant\ninformation security responsibilities?\n     No\n\nQuestion 5: PIA and Web Privacy Policies and Processes\n\nDoes the Agency have a written policy or process for each of the following?\n5a. PIA Policies\n    5a(1). Determining whether a PIA is needed.\n            Yes\n    5a(2). Conducting a PIA.\n            Yes\n    5a(3). Evaluating changes in business process or technology that the PIA indicate as necessary.\n            No\n\n    5a(4). Ensuring systems owners and privacy and IT experts participate in conducting the PIA.\n            Yes\n\n    5a(5). Making PIAs available to the public in the required circumstances.\n            Yes\n2009 Annual FISMA Report - Consumer Product                     For Official Use Only                                        SAOP Report - Page 2 of 6\nSafety Commission\n\x0c    5a(6). Making PIAs available in other than required circumstances.\n             No\n5b. Web Policies\n\n    5b(1). Determining continued compliance with stated web policies.\n             No\n\n    5b(2). Requiring machine-readability of public-facing Agency web sites (i.e. use of P3P).\n            No\n\nQuestion 6: Reviews Mandated by Privacy Act of 1974, the E-Government Act of 2002, and the Federal\nAgency Data Mining Reporting Act of 2007\n                              a.          b.         c.        d.            e.             f.           g.            h.          i.            j.              k.                
l.\n    Component / Bureau     Section M   Records     Routine   Exemp-       Matching       Training   Violations:    Violations:   System        (e)(3)          Privacy         Data Mining\n                           Contracts   Practices    Uses      tions       Programs                  Civil Action   Remedial        of        Statement         Impact            Impact\n                                                                                                                     Action      Record                      Assessments       Assessment\n                                                                                                                                                             and Updates\n  CPSC                        No          No         No               0              1     No           No             No               21               0                 7      No\n\n\nQuestion 7: Written Privacy Complaints\nIn the table provided, indicate the number of written complaints for each type of of privacy issue allegation received by the SAOP, in addition to the\nnumber of complaints for each type of complaint. Written complaints do not include Freedom of Information Act requests or Privacy Act access\nrequests.\n\n\n\n\n2009 Annual FISMA Report - Consumer Product                               For Official Use Only                                                              SAOP Report - Page 3 of 6\nSafety Commission\n\x0cType of Complaint                                                                                                           Number of Complaints\n7a. Process and Procedural - consent, collection, and appropriate notice.                                                                       0\n\n7b. Redress - non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy                                            0\nmatters.\n7c. 
Operational - inquiries regarding Privacy Act matters not including Privacy Act requests for access                                         0\nand/or correction.\n7d. Referrals - complaints referred to another Agency with jurisdiction.                                                                        0\n\nQuestion 8: Policy Compliance Review\n8a. Does the Agency have current documentation demonstrating review of compliance with information privacy laws, regulations, and\npolicies?\n     No\n\n8b. Can the Agency provide documentation of planned, in progress, or completed corrective actions necessary to remedy\ndeficiencies identified in compliance reviews?\n    Yes\n\n8c. Does the Agency use technologies that enable continuous auditing of compliance with stated privacy policies and practices?\n    No\n\n8d. Does the Agency coordinate with the Agency\'s Inspector General on privacy program oversight?\n    Yes\n\nQuestion 9: Information About Advice Provided by the SAOP\nPlease state \xe2\x80\x9cYes\xe2\x80\x9d or \xe2\x80\x9cNo\xe2\x80\x9d to indicate if the SAOP has provided formal written advice in each of the listed categories, and briefly\ndescribe the advice. For descriptions of training, please provide the number of employees (or contractors) who participated in the\ntraining.\n9a. Agency policies, orders, directives, or guidance governing Agency handling of personally identifiable information.\n    Yes\n\n\n9b. Written Agreements (either Interagency or with Non-Federal Entities).\n\n2009 Annual FISMA Report - Consumer Product                     For Official Use Only                                       SAOP Report - Page 4 of 6\nSafety Commission\n\x0c    No\n\n9c. Reviews or feedback outside of the SORN and PIA process (e.g. formal written advice in the context of a budgetary or\nprogrammatic planning).\n    No\n9d. 
Privacy Training (either stand-alone or included with training on related issues).\n    Stand Alone\n\nQuestion 10: Agency Use of Persistent Tracking Technology\n10a. Does the Agency use persistent tracking technology on any web site?\n      No\n10b. Does the Agency annually review the use of persistent tracking?\n      No\n\n10c. Can the Agency demonstrate through documentation the continued justification for, and approval to use, the persistent tracking\ntechnology?\n      No\n\n10d. Can the Agency provide the notice language or citation for the web privacy policy that informs visitors about the persistent\ntracking?\n      No\n\nQuestion 11: Privacy Points of Contact Information\n\n     Title / Role                                    Name                                Phone            E-Mail\n     Agency Head                                     Inez Tenenbaum                      301-504-7896       itenenbaum@cpsc.gov\n     Chief Information Officer                       Patrick Weddle                      301-504-7654       pweddle@cpsc.gov\n     Chief Information Security Officer              Patrick Manley                      301-504-6946       pmanley@cpsc.gov\n     Senior Agency Official for Privacy              Mary Kelsey                         301-504-7213       mkelsey@cpsc.gov\n     Agency Inspector General                        Christopher Dentel                  301-504-7644       cdentel@cpsc.gov\n     Chief Privacy Officer                           N/A\n     Privacy Advocate                                Linda Glatz                         301-504-7671       lglatz@cpsc.gov\n2009 Annual FISMA Report - Consumer Product                     For Official Use Only                                      SAOP Report - Page 5 of 6\nSafety Commission\n\x0c     Title / Role                               Name                             Phone          E-Mail\n     Privacy Act Officer                        Todd Stevenson                   301-504-6836    
tstevenson@cpsc.gov\n     Reviewing Official for PIAs                Patrick Weddle                   301-504-7654    pweddle@cpsc.gov\n     POC for URL links provided in Question 2   Philip Margolies                 301-504-6987    pmargolies@cpsc.gov\n\n\n\n\n2009 Annual FISMA Report - Consumer Product              For Official Use Only                                 SAOP Report - Page 6 of 6\nSafety Commission\n\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'